When it comes to cybersecurity, government defenses tend to be measured against broad threats such as cyberespionage and possible nation state attacks on the country’s critical infrastructure. As recent studies show, however, that focus may be a bit wayward.

Symantec’s 2014 Internet Security Threat Report shows yet again why it’s the smaller, oft-used threats that likely remain the biggest problem for agencies. Those have grown in number, but also continue to evolve in response to the development of better defenses.

Spear phishing, for example, was a major problem in the past but had been seen as diminishing as other threats grew and took up more of organizations’ attention. Not so, according to Symantec, which called reports of the death of spear phishing “greatly exaggerated.” In fact, while the total number of emails used per phishing campaign decreased, along with the number of targets, the total number of campaigns almost doubled in 2013.

“This ‘low and slow’ approach (campaigns also run three times longer than those in 2012) are a sign that user awareness and protection technologies have driven spear phishers to tighten their targeting and sharpen their social engineering, Symantec said.

The even worse news? Government is in the top three targets for these kinds of attacks, the report said, with odds of 1 in 3.1 that at any given time a government employee is being subject to a phishing attack (though, admittedly, the method they used to come up with that ratio is a little fishy!).